At present, practically all companies and organizations are represented in one way or another on the Internet, and many of them use the Internet as a business tool. At the same time, the Internet does not provide proper protection of services "by default". Furthermore, it is not possible today to defend against a number of Internet threats by local protection means alone, such as firewalls, attack prevention systems, antivirus software, and so forth. A glaring example of such a threat is the distributed denial-of-service (DDoS) attack.
A denial-of-service (DoS) attack is a cyber-attack on a computer system intended to cause it to fail, that is, to create conditions in which legitimate (authorized) users cannot gain access to the resources (servers) provided by the system, or in which such access is slower or more difficult. The motives for such attacks vary widely: they may serve as an element of competitive activity, a means of extortion, revenge, an expression of discontent, a demonstration of capabilities, or a bid for attention, the last of which is most often treated as cyberterrorism. If the attack is conducted simultaneously from a large number of computers, one speaks of a DDoS attack (Distributed Denial of Service). Two main varieties of DDoS attack exist: attacks on bandwidth and attacks on applications.
Attacks on bandwidth operate by clogging the communication channels, the allocated bandwidth, and the equipment with a large number of packets. The chosen victims are routers, servers, and firewalls, each of which has only limited processing resources (such as memory buffers and network interface bandwidth). Under the influence of the attack, these devices may become unavailable for handling proper transactions (i.e., legitimate requests), or they may crash under the unanticipated heavy workload. The most common form of cyber-attack based on clogging bandwidth is the so-called flood (avalanche) attack, during which a large number of seemingly trustworthy packets of the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), or the Internet Control Message Protocol (ICMP) are sent to a particular target.
Attacks on applications operate by exploiting features of the behavior of networking protocols (TCP, HTTP and others), and also the behavior of services and applications, and seize the computing resources of the computer on which the object of the attack is running, preventing it from handling legitimate transactions and requests. Examples of attacks on applications are attacks with half-open HTTP connections and attacks with erroneous HTTP connections.
Recently, so-called "Slow-Rate" or "Low and Slow" attacks have become increasingly popular. Such attacks utilize deficiencies in the implementation of applications at the service end (such as a web server) and make it possible to put an important service at the server end out of commission by using only a small number of requests. The traffic volume generated during such an attack may be extremely slight, and therefore the detection and mitigation methods for attacks on bandwidth prove to be ineffective. Further, slow-rate attacks involve seemingly legitimate traffic (i.e., in terms of protocol rules) which does not violate network standards or common security policies. As such, traditional detection and mitigation methods for attacks on applications are often unable to distinguish such malicious data packets from legitimate ones because of their similarity.
An example of such a slow-rate attack is the Slowloris attack. This method of attack may be carried out even by a single computer. The attack involves sending incomplete HTTP requests (partial ones, e.g., for a GET request), after which the attacking host periodically sends additional headers, but the request itself is never completed. Thus, the server keeps all of its sockets reserved for HTTP processing, which results in a denial of service to other clients. The attack takes a long time.
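As an added example that is not part of the original publication, the following detector applies the server-side symptom described above: it replays a constructed stream of per-connection events, identifies connections whose HTTP header block is never terminated by a blank line, and flags clients that hold many such stalled connections. The thresholds, client addresses and event format are assumptions chosen for illustration.

```python
# Added example (not from the original publication): a minimal detector for
# Slowloris-style half-open HTTP requests. Clients that keep many connections
# open without ever sending the blank line ending the header block are flagged.
from collections import defaultdict

HEADER_END = b"\r\n\r\n"
MAX_HEADER_AGE = 30.0        # seconds a header block may stay incomplete (assumed)
MAX_STALLED_PER_CLIENT = 5   # stalled connections per client before flagging (assumed)

class ConnState:
    """Per-connection bookkeeping: owner, open time, buffered bytes, completeness."""
    def __init__(self, client, opened_at):
        self.client = client
        self.opened_at = opened_at
        self.buf = b""
        self.complete = False

def analyze(events, now):
    """events: iterable of (timestamp, conn_id, client, data) tuples.
    Returns (stalled_per_client, flagged_clients) as seen at time `now`."""
    conns = {}
    for ts, cid, client, data in sorted(events, key=lambda e: e[0]):
        st = conns.setdefault(cid, ConnState(client, ts))
        if st.complete:
            continue                      # request already finished; nothing to track
        st.buf += data
        if HEADER_END in st.buf:
            st.complete = True            # header block terminated normally
    stalled = defaultdict(int)
    for st in conns.values():
        if not st.complete and now - st.opened_at > MAX_HEADER_AGE:
            stalled[st.client] += 1       # open too long with no complete headers
    flagged = sorted(c for c, n in stalled.items() if n >= MAX_STALLED_PER_CLIENT)
    return dict(stalled), flagged

# Constructed sample: 203.0.113.5 holds six connections open with trickled
# headers, while 198.51.100.7 completes one normal request promptly.
SAMPLE_EVENTS = []
for i in range(6):
    SAMPLE_EVENTS.append((0.0, f"slow-{i}", "203.0.113.5",
                          b"GET / HTTP/1.1\r\nHost: example.test\r\n"))
    SAMPLE_EVENTS.append((25.0, f"slow-{i}", "203.0.113.5", b"X-a: 1\r\n"))
SAMPLE_EVENTS.append((1.0, "ok-1", "198.51.100.7",
                      b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS, now=60.0))
```

In production the same logic would run against the server's live socket table or access log rather than a constructed list, and the flagged clients would feed a rate limiter or connection cap.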
In a number of recent patent publications, such as United States Publication No. 2016/0226896, it has been proposed to perform an analysis of the data based on a network protocol, specifically the Secure Sockets Layer (SSL) protocol. Such analysis is highly protocol-specific, however. As such, the known analytical techniques may be rendered useless for detecting or mitigating slow-rate attacks if future attacks utilize other protocols or if the specific protocol changes (e.g., in a next version). A more flexible and universal solution is needed for the analysis of data packets from users, regardless of the protocol being used, for earlier determination of a possible network attack on a server.
Moreover, cases are known where another attack was carried out behind a DDoS attack, known as a targeted cyber-attack or Advanced Persistent Threat (APT). Therefore, a solution is needed which is able not only to discover and neutralize a DDoS attack, but also to provide feedback to the entire protective infrastructure of the organization at which the DDoS attack is directed. An analysis of the existing prior art leads to the conclusion that the previous technologies are ineffective and in certain cases cannot be applied, and their deficiencies are addressed by the aspects of the present disclosure.